Username lists

Generic Wordlist

ls /usr/share/seclists/Usernames

cirt-default-usernames.txt              README.md
CommonAdminBase64.txt                   sap-default-usernames.txt
Honeypot-Captures                       top-usernames-shortlist.txt
mssql-usernames-nansh0u-guardicore.txt  xato-net-10-million-usernames-dup.txt
Names                                   xato-net-10-million-usernames.txt

locate names.txt

/opt/useful/SecLists/Usernames/Names/names.txt

SecLists/Usernames at master · danielmiessler/SecListsGitHub

wordlist/usernames.txt at master · jeanphorn/wordlistGitHub

Unix

ls /opt/tools/metasploit-framework/data/wordlists/ | grep unix    

unix_passwords.txt
unix_users.txt

Windows

GitHub - insidetrust/statistically-likely-usernames: Wordlists for creating statistically likely username lists for use in password attacks and security testingGitHub

jsmith.txt and a lot of usefull usernamelist like service-accounts.txt test-accounts or top-formats.txt

/opt/tools/metasploit-framework/data/wordlists/namelist.txt 

AD User Naming Convention

joe.smith
jmith
joesmi

Active Directory User Naming ConventionsActive Directory Pro

Username Convention	Practical Example for Jane Jill Doe
firstinitiallastname	jdoe
firstinitialmiddleinitiallastname	jjdoe
firstnamelastname	janedoe
firstname.lastname	jane.doe
lastname.firstname	doe.jane
nickname	doedoehacksstuff

Often, an email address's structure will give us the employee's username (structure: username@domain). For example, from the email address jdoe@inlanefreight.com, we see that jdoe is the username.

A tip from MrB3n: We can often find the email structure by Googling the domain name, i.e., “@inlanefreight.com” and get some valid emails. From there, we can use a script to scrape various social media sites and mashup potential valid usernames. Some organizations try to obfuscate their usernames to prevent spraying, so they may alias their username like a907 (or something similar) back to joe.smith. That way, email messages can get through, but the actual internal username isn’t disclosed, making password spraying harder. Sometimes you can use google dorks to search for “inlanefreight.com filetype:pdf” and find some valid usernames in the PDF properties if they were generated using a graphics editor. From there, you may be able to discern the username structure and potentially write a small script to create many possible combinations and then spray to see if any come back valid.

Custom wordlist

$ ./username-anarchy -i /home/ltnbob/names.txt

username-anarchy John Marston          

john
johnmarston
john.marston
johnmars
johnm
j.marston
jmarston
mjohn
m.john
marstonj
marston
marston.j
marston.john
jm

./username-anarchy Bill Gates > bill.txt

Also with only one user, we can extract the list of all users - See Netexec - CME and SMB (445, 139)